CVE-2025-52787

2025-07-16 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 12:15 (nvd)
N/A

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EZiHosting Tennis Court Bookings (tennis-court-bookings) allows Reflected XSS. This issue affects Tennis Court Bookings: from n/a through <= 1.2.7.

Analysis (AI)

Reflected cross-site scripting (XSS) in EZiHosting Tennis Court Bookings WordPress plugin through version 1.2.7 allows unauthenticated attackers to inject malicious scripts into web pages viewed by administrators and users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session tokens, redirect users, or perform actions on behalf of victims through crafted URLs. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical Context (AI)

The Tennis Court Bookings plugin (a WordPress plugin listed in the Patchstack database) fails to properly sanitize user-supplied input before rendering it in dynamically generated web pages. This is a classic reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation), where untrusted data from URL parameters or form submissions is echoed back to the browser without encoding or validation. The vulnerability affects the plugin across all versions from its initial release through version 1.2.7. WordPress plugins are PHP-based extensions that extend WordPress functionality; when they fail to escape output, they create XSS attack surface in both the WordPress admin dashboard and public-facing pages. The plugin likely renders request parameters directly in its templates without using WordPress escaping functions such as esc_html() or wp_kses_post().
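The following is an added illustration of the pattern described above; it is not code from the Tennis Court Bookings plugin or from the advisory. It assumes a hypothetical shortcode handler (all tcb_demo_* names are invented) that displays a court name taken from the query string, first rendered the vulnerable way and then with WordPress's context-specific escaping helpers.

```php
<?php
// Added illustration (not the plugin's code): a reflected XSS arises when a request
// parameter is echoed into a WordPress page without escaping; the WordPress escaping
// helpers close the hole. The tcb_demo_* names and the shortcode are assumptions.

// VULNERABLE pattern (CWE-79): the untrusted $_GET value is written verbatim into
// both an HTML text node and an attribute value, so any markup in the parameter is
// interpreted by the browser.
function tcb_demo_render_court_unsafe() {
    $court = isset( $_GET['court'] ) ? $_GET['court'] : '';
    return '<h2>Bookings for court ' . $court . '</h2>'
         . '<input type="text" name="court" value="' . $court . '">';
}

// HARDENED pattern: unslash and sanitize on input, then escape for the exact output
// context. esc_html() encodes <, >, &, " and ' for text nodes; esc_attr() does the
// same for attribute values. Input sanitization alone is not enough, because the
// value still has to be encoded for the place it lands in the page.
function tcb_demo_render_court_safe() {
    $court = isset( $_GET['court'] )
        ? sanitize_text_field( wp_unslash( $_GET['court'] ) )
        : '';
    return '<h2>Bookings for court ' . esc_html( $court ) . '</h2>'
         . '<input type="text" name="court" value="' . esc_attr( $court ) . '">';
}

// When limited formatting must survive (for example a description an administrator
// stored on purpose), wp_kses_post() strips everything outside WordPress's
// post-content allowlist instead of encoding it. It is the right tool for rich text,
// not a substitute for esc_html()/esc_attr() on plain values.
function tcb_demo_render_description( $description ) {
    return '<div class="tcb-description">' . wp_kses_post( $description ) . '</div>';
}

// Assumed integration point: a shortcode that emits the hardened markup.
add_shortcode( 'tcb_demo_court', 'tcb_demo_render_court_safe' );
```

The rule the example encodes is "escape late, for the output context": sanitize_text_field() cleans the value when it is read, but the esc_html()/esc_attr() call at the point of output is what prevents the browser from treating reflected input as markup, and the two are not interchangeable (an attribute needs esc_attr(), a URL needs esc_url()).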

Affected Products (AI)

EZiHosting Tennis Court Bookings WordPress plugin is affected in all versions from initial release through and including version 1.2.7. The plugin is distributed via the WordPress plugin repository and identified in the Patchstack vulnerability database.

Remediation (AI)

Update the Tennis Court Bookings plugin to a patched version released after 1.2.7. WordPress administrators should navigate to Plugins > Installed Plugins and click Update if one is available, or remove the plugin if no patched version exists. As a temporary workaround pending the plugin update, restrict access to the plugin's functionality to trusted administrators only via WordPress user role management, or disable the plugin entirely if it is not actively used. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/tennis-court-bookings/vulnerability/wordpress-tennis-court-bookings-1-2-7-cross-site-scripting-xss-vulnerability?_s_id=cve for the specific patched version number and additional guidance.
